[00:00.000 --> 00:03.960]  Good morning everybody. My name is Neil and I'll be presenting on how to use online ads
[00:03.960 --> 00:12.660]  as a reconnaissance and surveillance tool. A little about me, I'm currently a U.S. Army
[00:12.660 --> 00:16.700]  officer, 11 years in the Army. I got three degrees in electrical engineering and computer
[00:16.700 --> 00:25.540]  science. I'm a software developer with the Army and a personal privacy enthusiast. A
[00:25.540 --> 00:30.360]  couple of disclaimers, so all the views I present here are my own and not of the Department
[00:30.360 --> 00:35.340]  of Defense or any government entity. All accounts I used for connecting to research
[00:35.340 --> 00:40.240]  were created by me. I didn't target anybody else that didn't consent to the research.
[00:40.620 --> 00:45.740]  I don't do anything evil with this. And then finally, I'm a newbie when it comes to online
[00:45.740 --> 00:51.320]  marketing stuff, definitely not an expert, just curious. So a little bit of background.
[00:51.760 --> 00:56.540]  Ads and ad targeting are ubiquitous online today. They fund a lot of the services we
[00:56.540 --> 01:01.860]  like to use online and there's a lot of consequences of that. One of those consequences was covered
[01:01.860 --> 01:11.880]  in DEF CON 26 by HEX 200B and it really caught my eye. And so what HEX 200B presented was
[01:11.880 --> 01:19.320]  detecting blue team activities with ads. So his research question was, excuse me, as a
[01:19.320 --> 01:23.740]  red team operator, can you detect when someone, like the blue team, is searching for something
[01:23.740 --> 01:30.280]  unique or identifying in Google using ads? And so the strings that he was targeting or
[01:30.280 --> 01:34.680]  the search terms he was targeting was file hashes. And so you have a file hash of your
[01:34.680 --> 01:41.120]  binary or your implant. And one way you can detect if the blue team has detected it is
[01:41.120 --> 01:46.760]  if they start googling strings or hashes of that implant. And if you have ads on those
[01:46.760 --> 01:57.640]  terms, you can detect that and then take cleanup actions as required. As a result, it can be done,
[01:57.640 --> 02:04.720]  but with some considerable limitations that we'll talk about a little bit later. And plenty of other
[02:04.720 --> 02:10.140]  exploring opportunities with different ad platforms and other ways of targeting ads. I thought this
[02:10.140 --> 02:16.520]  presentation was really awesome and it inspired me to do my own research. So here are the research
[02:16.520 --> 02:22.600]  questions I went into some of the testing I did with. And so, first of all, I wanted to see if I
[02:22.600 --> 02:27.580]  replicate the research. I wanted to see if I could target ads specific to individuals. I wanted to
[02:27.580 --> 02:33.040]  see if I could explore other ad platforms beyond just Google, Google AdWords. And I wanted to see
[02:33.040 --> 02:38.420]  if I could over-target ads in a way to allow me to infer information about what ad platforms know
[02:38.420 --> 02:45.520]  about the individuals I'm targeting. So if any of that is possible, I want to also assess if it's
[02:45.520 --> 02:52.220]  practical. Anything from expense, to how reliable it is, to what the setup time required for it is,
[02:52.220 --> 03:00.180]  etc. So one thing to keep in mind going into using online ads for unintended purposes is overall
[03:00.180 --> 03:05.300]  goal is to get people to buy stuff. Ideally, you show ads to everybody most likely to buy something
[03:05.300 --> 03:09.420]  as an ad platform. And not only those people, but getting 100% accuracy really isn't that
[03:09.420 --> 03:15.500]  important. You just need a positive return for the marketers that are your customers.
[03:16.660 --> 03:22.420]  With that in mind, ad platforms are not necessarily optimized for deterministic delivery of ads,
[03:22.420 --> 03:29.340]  delivering ads exactly when you want them to, or high precision and accuracy of the user profiles
[03:29.340 --> 03:38.020]  or folks you're targeting. Online ad platforms, there's a bunch of them out there. They're a big
[03:38.020 --> 03:43.900]  business. The ones I looked at were Google and Facebook. But keep in mind, everybody pictured
[03:43.900 --> 03:50.520]  here has their own organic ad targeting and delivery systems that these techniques could
[03:50.520 --> 03:57.200]  potentially be applied to as well. To scope the research, I came up with a simple threat model.
[03:57.800 --> 04:04.260]  So blue, we have the Roadrunner. Roadrunner is a cyber analyst with the US Army stationed at Fort
[04:04.260 --> 04:11.360]  Meade with a mission of investigating the coyote using OSINT like Google. And red team coyote,
[04:12.220 --> 04:19.240]  a US adversary threat actor that the Roadrunner is researching. He's trying to use ads for evil
[04:19.240 --> 04:33.480]  and detect when the Roadrunner is researching the coyote using ads. So a couple things to keep in
[04:33.480 --> 04:41.780]  mind with the scenario. So the Roadrunner is a Google user in this scenario. And so using a
[04:41.780 --> 04:48.240]  stock Android phone with a Google account signed in and Windows 10 VM with a Chrome browser where
[04:48.240 --> 04:54.000]  the Roadrunner has signed in on Google before and is not in the habit of clearing cookies very
[04:54.000 --> 05:02.720]  often and stuff like that. Scenario for the coyote. So a couple things pointed out here.
[05:02.720 --> 05:10.540]  Coyote is set by domain name, a blog, a business to advertise on that blog, and a number of accounts
[05:10.540 --> 05:19.480]  on the different ad platforms. Right, so here's a couple screenshots of the blog. So coyote in
[05:19.480 --> 05:26.280]  the effort to attract the attention of Roadrunner and hopefully promote his ad getting shown by
[05:26.280 --> 05:33.640]  Google has put some of the search terms that he wants to trigger in Google AdWords in blog posts.
[05:33.640 --> 05:41.380]  And so the way Google shows ads, it's not just how much money you pay, but it's sort of an
[05:41.380 --> 05:46.900]  evaluation of the value of that page you're linking to. And so in this case, if you have keyword
[05:46.900 --> 05:54.040]  matches on the page you're linking to for your AdWords ad, then it's more likely to show. And so
[05:54.040 --> 05:58.640]  Google AdWords and networks, there's plenty of options to go after. The one we're looking at
[05:58.640 --> 06:07.200]  here is AdWords. And those are the paid results that show up in your Google searches. AdWords
[06:07.200 --> 06:12.040]  has a lot of targeting options. So the main one is a keyword search. Anything from a broad or fuzzy
[06:12.040 --> 06:18.880]  match to an exact match, where it's an exact match of the string you provide, you can combine those.
[06:19.140 --> 06:26.680]  And then you can also combine it with a number of individually broad demographic parameters like
[06:26.680 --> 06:34.420]  language, broad interest category, user location, that when combined, can pretty effectively
[06:35.320 --> 06:41.060]  identify small groups of people. So continue on with options, IP blocking, exclusions, income
[06:41.060 --> 06:50.220]  level, device types. There's more options that you can leverage if you have a Google Ads API key, but
[06:50.220 --> 06:57.540]  not in the standard ad manager GUI. That does require additional vetting, which I was not able to
[06:57.540 --> 07:06.620]  pass, but we'll talk about that later. So here's the targeting methodology that we're using for
[07:06.620 --> 07:14.500]  setting up with Google AdWords, which is largely inspired by HEX 200b, with a little bit additional
[07:14.500 --> 07:20.360]  detail filled in. So first, we have to design the AdWords ad, we're using an expanded text ad, and
[07:20.360 --> 07:25.320]  select search terms. In this case, we selected a Bitcoin address that we thought Roadrunner might be
[07:25.320 --> 07:31.460]  interested in. The search term needs to be specific and low volume to make sure it only triggers on
[07:33.420 --> 07:39.000]  roadrunner searches and other people aren't likely to be searching for it, but not too low volume. And
[07:39.000 --> 07:45.540]  so there's minimum thresholds for search activity for different keywords that Google enforces when
[07:46.520 --> 07:54.660]  setting up ads. And so that is one of the primary challenges for conducting this sort of attack. So
[07:56.040 --> 08:01.020]  with a search term, the way you can narrow it down from a group of people searching for something
[08:01.020 --> 08:07.200]  to the specific people that you want to target is by narrowing the demographic targeting options. And
[08:07.200 --> 08:12.000]  so that those are the things like the location, age that we already talked about. And so if you have
[08:12.000 --> 08:17.540]  enough target information, you can refine the audience down further. There are also limits on
[08:17.540 --> 08:22.580]  how small you can make that audience that will prevent Google from showing the ads or preventing
[08:22.580 --> 08:31.720]  you from buying them. But you can get around that somewhat by broadening your audience to the point
[08:31.720 --> 08:37.120]  that you meet the minimum threshold, but then adjusting the bid modifiers to the specific
[08:37.120 --> 08:44.320]  demographic features that you want. And so in this case, we know our target is between 25 and 34 years
[08:44.320 --> 08:51.040]  of age. And so we boost the amount we're willing to bid for that click up by 200 percent.
[08:53.540 --> 08:59.080]  Google reviews the ads, like the automated process, then eventually Google displays them. So
[08:59.680 --> 09:04.220]  some things to keep in mind. The ads, when you purchase them, aren't necessarily going to display
[09:04.220 --> 09:10.040]  on the first search of the target. Even if that target is in the audience, they might have to
[09:10.040 --> 09:20.180]  multiple times. All right, so ad is under review. Roadrunner is researching bad guys, researching
[09:20.180 --> 09:26.420]  the NotPetya actors and their Bitcoin address. And when we search the Bitcoin address, the Coyote ad
[09:26.420 --> 09:33.520]  pops up in Roadrunner's browser. Here's what that result looks like on Coyote's end. So
[09:34.240 --> 09:38.680]  have that little blip on the impressions. That's showing
[09:40.240 --> 09:44.540]  they got the ad triggered. Triggered once, and it triggered it this time.
[09:46.280 --> 09:53.000]  Going back, it also shows on the right, you can see the exact search term that the user put in.
[09:53.000 --> 09:57.240]  In this case, it was the Bitcoin address by itself. But if there's additional information
[09:57.740 --> 10:01.860]  in the search that triggered, it would appear there for the advertiser to see.
[10:03.320 --> 10:09.240]  All right, more data from the dashboard. So you can see some of the demographics,
[10:09.240 --> 10:16.180]  timing, and device types that the targeted user applied to.
[10:18.550 --> 10:23.930]  All right, so we got that example to work, but that example was somewhat canned.
[10:24.150 --> 10:29.030]  And there are some limitations that a real attack would have to overcome to make this a practical
[10:29.030 --> 10:35.150]  attack. All right, so targeted keywords would need to have sufficient search volume. And so
[10:35.150 --> 10:39.750]  that precludes using very unique searches without doing legally questionable things
[10:40.390 --> 10:50.070]  on the SEO side, like getting bots to search for the term that you want before you buy an ad item.
[10:50.770 --> 10:54.630]  Ad might not display in the first or first couple target searches, so it needs to be something that
[10:54.630 --> 11:02.490]  the target would be repeatedly searching for if you want a very high accuracy detection rate.
[11:02.950 --> 11:08.030]  There's a reporting delay. In my case, it was up to a day, but ranges from hours to days.
[11:09.130 --> 11:13.970]  And it can be costly to the attacker to do this if the user clicks on your ad.
[11:14.970 --> 11:19.210]  So in my case, once I finally got the ad to trigger, I got really excited as a roadrunner,
[11:19.210 --> 11:23.850]  and I clicked the ad, and I charged myself $9.40 for seeing my own ad.
[11:26.870 --> 11:32.830]  In the AdWords API, there's plenty more... there's more granular options that you can leverage,
[11:32.830 --> 11:39.490]  as well as all the, you know, additional programming logic or custom logic you choose to implement.
[11:42.630 --> 11:48.350]  All right, so we've covered Google platform. Now we're going to talk a little bit about Facebook.
[11:48.450 --> 11:53.390]  So Facebook, like Google, there's plenty of different ad types and placements.
[11:54.170 --> 11:57.670]  Anywhere from Facebook, Instagram, Messenger, that kind of stuff.
[11:57.990 --> 12:03.930]  And compared to Google AdWords, or Google ad platforms, Facebook offers much more detailed
[12:03.930 --> 12:09.350]  audience targeting options to your entry ad purchaser compared to Google. And so they
[12:11.270 --> 12:16.530]  offer targeting on sort of four categories. Demographics, interest, behaviors, and location.
[12:16.530 --> 12:22.090]  You can combine those with sort of effectively and or not operators. You can do relationship-based
[12:22.090 --> 12:25.990]  targeting and then custom audiences, which we'll touch on a little bit later.
[12:27.110 --> 12:31.650]  So audience targeting, so demographics, so this stuff like age, birthday, gender.
[12:32.610 --> 12:37.250]  This generally coincides to the data that users provide in their Facebook profiles. You know,
[12:37.770 --> 12:43.010]  it's pretty uncanny how well that matches up to information that users are expected to provide
[12:43.010 --> 12:54.060]  Facebook. On the interest side, that generally targets what users sort of have declared that
[12:54.060 --> 13:00.220]  they like on Facebook or groups or joining groups or pages that indicate interest in different
[13:00.220 --> 13:06.140]  topics. And so I think for entertainment, family relationships, different food or drink types,
[13:06.140 --> 13:12.660]  hobbies, that kind of thing. So like to Google targeting parameters, you know, by themselves,
[13:12.660 --> 13:21.480]  these things might not be terribly revealing, but when combined, you can target very specific
[13:21.480 --> 13:33.710]  audiences with these features. And finally, behaviors. Of all the audience targeting
[13:33.710 --> 13:42.630]  options, behaviors is probably the most invasive. And so this combines online and offline activities
[13:42.630 --> 13:49.050]  on or off Facebook, things like email domains you use to create Facebook, the internet browsers
[13:49.050 --> 13:55.730]  that you use to connect to the operating systems, what Facebook assesses your multicultural affinity
[13:55.730 --> 14:01.310]  or sort of cultural preferences are, political beliefs, purchase behavior if you traveled recently.
[14:03.730 --> 14:08.690]  And of all the behaviors, this one seems to draw the most from data collected from user devices if
[14:08.690 --> 14:15.590]  you've consented to the options, which are by generally default for collecting.
[14:17.630 --> 14:24.430]  I can also target by location. This is another place where you can get very specific. So by itself,
[14:24.430 --> 14:31.830]  if you're using one location, you can go anywhere from a broad area to an area at a specific grid
[14:31.830 --> 14:40.550]  coordinate and with a radius from one to 50 miles. So by itself, that's still somewhat broad,
[14:40.550 --> 14:50.390]  but if you combine include and excluded locations, you can get very specific. You can see on the right
[14:52.070 --> 14:57.290]  the Capitol building and some location targeting that will allow you to target people
[14:57.290 --> 15:02.370]  who have recently been in the Capitol building, U.S. Capitol building.
[15:05.730 --> 15:11.390]  All right, so I made a first attempt at a Facebook ad and it didn't go so well.
[15:12.410 --> 15:16.910]  And so before the ad could trigger or do anything with it, the page got unpublished.
[15:17.350 --> 15:23.270]  Facebook seemed to think I was selling fraudulent tickets for something. I eventually got that.
[15:24.410 --> 15:28.630]  So I had to go to plan B and wait a while for the account to get reactivated.
[15:30.030 --> 15:37.990]  To do attempt 2. And so attempt 2, here we are trying to target Roadrunner, where we think he
[15:37.990 --> 15:43.930]  works at Fort Meade, using information that we know the attacker already knows about him.
[15:48.920 --> 15:55.200]  All right, so unfortunately, it didn't get a successful result on the Facebook ads
[15:55.960 --> 16:01.720]  this time, but we did learn some interesting things that should fuel further research. And so
[16:03.660 --> 16:08.520]  ad didn't trigger for our target during the period I had attempted to get it to trigger,
[16:08.520 --> 16:14.800]  but it did trigger for other users, which was strange. And so I did tweak the audience
[16:14.800 --> 16:21.440]  parameters mid-campaign, which might have messed with how it's supposed to work. And
[16:22.820 --> 16:29.160]  some of the errors could be on my end. I'm brand new at this after all. It could be that
[16:29.160 --> 16:35.980]  Facebook's machine learning algorithm that determines audience targeting really isn't
[16:35.980 --> 16:42.020]  optimized for our unintended use case. Or it could be audience targeting is deliberately obfuscated
[16:43.040 --> 16:49.800]  for privacy reasons. The only thing, though, is if Facebook can charge for these clicks,
[16:49.800 --> 16:54.460]  they're outside my audience anyway. So I had to pay for clicks for users that I didn't want
[16:54.460 --> 17:01.620]  my product. So go over a couple other ad targeting features that I didn't get to
[17:01.620 --> 17:09.720]  experiment with, but are still something you should be aware of. And first one of those is
[17:09.720 --> 17:14.400]  customer-tailored audiences. And so the marketing goal for this is target specific people with ads
[17:14.400 --> 17:18.640]  based on previous interactions or third-party data. This is otherwise known as remarketing
[17:19.240 --> 17:24.640]  a lot of marketing literature. So it varies slightly from provider, but
[17:24.640 --> 17:32.660]  what this can look like is basically taking your customer database, taking as business,
[17:32.660 --> 17:39.580]  and uploading it to... uploading everything that's targetable on the platform to an ad platform.
[17:39.780 --> 17:45.380]  So also target this way through website visitors. If your company has apps, you can target through
[17:45.380 --> 17:50.140]  that identifiers embedded in those, as well as third-party data sources if you're paying
[17:50.900 --> 17:57.280]  data brokers or marketing firms. Use is restricted by platforms. There is some additional vetting.
[17:57.560 --> 18:04.360]  Facebook requires a business ads account to use it, and Google requires you to have no violations
[18:04.360 --> 18:13.150]  and pay them a lot of money in ads. Here's an example of what the Facebook custom audience
[18:13.150 --> 18:17.250]  looks like. And so you can target by email, phone,
[18:17.250 --> 18:22.490]  advertising ID on a phone, names, dates of birth, and a bunch of other information.
[18:24.790 --> 18:28.570]  So there's a lot of research already done on exploiting custom audience sizes
[18:30.350 --> 18:37.150]  and defeating some of the protections that ad platforms have implemented for these. And so
[18:37.150 --> 18:44.130]  most platforms implement a minimum audience size. They only provide estimator obfuscated sizes for
[18:44.130 --> 18:53.330]  audiences when you upload your customer database. And some other platform-dependent things that
[18:53.330 --> 19:03.170]  aren't necessarily public knowledge for the ad purchasers. So I've got three papers here that I
[19:03.170 --> 19:10.230]  recommend you take a look at if you're interested later on how some smart folks figure out how to
[19:10.230 --> 19:15.970]  defeat that and we're able to target individual people using these custom audiences.
[19:20.010 --> 19:26.830]  One example is an article from Gizmodo a couple years ago, 2018 I believe. So one of those
[19:26.830 --> 19:31.450]  researchers worked with a journalist and the journalist was able to target that researcher
[19:31.450 --> 19:39.090]  using an office phone number that he never provided to Facebook, and with the conclusion
[19:39.090 --> 19:45.170]  being that Facebook somehow collected that office phone number for that researcher through some other
[19:45.170 --> 19:56.870]  third-party source. Twitter also got into trouble for using personal data that wasn't supposed to
[19:56.870 --> 20:00.850]  be for advertising for advertising, in this case two-factor phone numbers.
[20:03.330 --> 20:08.710]  I'm running a little bit out of time here, but let's very briefly go over this. But ads
[20:08.710 --> 20:17.010]  over-targeting, basically this is over-targeting ads in a way, over-targeting ads using all
[20:17.010 --> 20:21.690]  possible combinations of sort of the parameters you want to enumerate, seeing which ads trigger,
[20:22.290 --> 20:26.650]  and using the ad platform to tell you information about that user.
[20:27.470 --> 20:33.950]  So here's an example for enumerating operating system and browser for our Roadrunner. I didn't
[20:33.950 --> 20:39.030]  get to test this because we couldn't get the Facebook ad to work, but plan on experimenting
[20:39.030 --> 20:44.310]  with that in the future. All right, so we've talked about all the creepy things you can do with ads,
[20:44.310 --> 20:52.150]  so we'll talk now about mitigations and defenses. So if you're ad platform, we've seen that
[20:53.250 --> 20:58.970]  doing things like adding noise, noise to the target of advertisements,
[20:58.970 --> 21:04.650]  raising minimum sizes of custom audiences, obfuscating audience sizes, and, you know,
[21:04.650 --> 21:08.690]  allowing opt-outs to partially solve the problem or make it more difficult for attackers,
[21:09.030 --> 21:17.130]  give some more options to consumers. But really, there are some still fundamental problems with
[21:17.960 --> 21:23.250]  those approaches. And so the problem is that individual ad targeting is sort of inherent to
[21:23.250 --> 21:28.390]  the business model of a lot of these ad platforms. It's what their primary customers, the marketers
[21:28.390 --> 21:35.270]  and the purchasers of advertisements, what they want. It allows those advertisers to
[21:35.850 --> 21:41.050]  demonstrate that this ad directly led to this sale, and people can make very data-driven
[21:41.050 --> 21:46.670]  arguments to their executives about how their marketing budgets are making a difference.
[21:47.130 --> 21:56.720]  All right, so some of the things that Facebook has added to at least provide some transparency
[21:56.720 --> 22:02.540]  with this is ads library. And so you can look up ads that are active on Facebook recently using
[22:02.540 --> 22:13.180]  their ads library. So mitigations for marketers. Same fundamental problems here. Individual
[22:13.180 --> 22:20.240]  targeting is what marketers want. There's some things they could do, whether it's adjusting
[22:20.240 --> 22:26.500]  privacy policies to provide more transparency or minimize customer information. But ultimately,
[22:26.500 --> 22:34.830]  that undercuts their effective targeting of users in the bottom line. All right,
[22:34.830 --> 22:40.910]  so what can individuals do about this kind of thing? So good news is there are some easy wins.
[22:41.070 --> 22:47.770]  You know, some of that good internet browsing hygiene will prevent a lot of these techniques
[22:47.770 --> 22:52.290]  from being used on you. So signing out of accounts in browsers you don't need, including browser
[22:52.290 --> 23:00.390]  cookies, using privacy-friendly browser plugins and settings, using some OPSEC on search engines,
[23:00.970 --> 23:05.390]  using privacy-protecting search engines, that kind of stuff. There's also some less convenient
[23:05.390 --> 23:10.850]  and possibly more paranoid things you can do. One thing I noticed, targeting the ads, especially
[23:10.850 --> 23:16.890]  going by location. Google trusts the location and pulls off of mobile devices, but if you use
[23:16.890 --> 23:24.090]  location services, much more than any sort of data you self-report. But the problem is that's
[23:24.090 --> 23:28.590]  harder to avoid, especially when, if you're using an Android phone, most Android phones are going to
[23:28.590 --> 23:32.570]  require you to set up a Google account. You have Google Play services and all of its information
[23:32.570 --> 23:45.520]  collection on your handset. All right, so we talked about sort of the theoretical uses of ads for
[23:46.900 --> 23:54.100]  different purposes. Here's a couple of examples. So back in 2018 or 2019, I've seen an article about
[23:54.100 --> 23:59.140]  FBI running Facebook ads to target Russians in Washington, presumably to get them to come
[23:59.140 --> 24:03.360]  into the field office and tell them what they know about Russian interference.
[24:05.400 --> 24:12.600]  Also more recently, political groups, in this case, political groups looking to mobilize
[24:13.580 --> 24:16.720]  protesters at recent protests against police brutality
[24:18.540 --> 24:24.900]  to target them with ads to continue the political fight in support of their chosen cause.
[24:28.080 --> 24:34.900]  One thing we run into that's hard to mitigate here is you can control somewhat what you provide
[24:34.900 --> 24:39.880]  yourself, but it's very hard to control what other people provide about you. And the ad platforms have
[24:39.880 --> 24:45.200]  shown generally to leverage information other people provide about you. Same thing from government
[24:45.200 --> 24:53.280]  public records to data brokers, other marketers, other third-party sources, and finally friends
[24:53.280 --> 24:59.530]  sharing contact lists, emails, and other personal info with snoopy apps and services. So you might
[25:00.220 --> 25:06.060]  individually be Mr. or Mrs. Super Opsec, but if your friends are using these apps
[25:06.060 --> 25:09.520]  and uploading their contacts and not paying attention to
[25:10.060 --> 25:14.600]  privacy settings, you can still be very exposed to all this.
[25:16.340 --> 25:20.900]  That's some conclusions. I think we've demonstrated that there's some potential abuse
[25:20.900 --> 25:29.240]  of these systems. A lot of the techniques that I proposed or tested are sort of inherent, or they
[25:29.240 --> 25:34.720]  take advantage of inherent features of ad delivery platforms. It'd be hard to completely fix these
[25:34.720 --> 25:40.900]  sorts of issues on a major overhaul. Low budget ad surveillance, like I was doing, it's probably only
[25:40.900 --> 25:49.200]  effective in very specific scenarios. But given more budget and more expertise, I could see this
[25:49.200 --> 25:54.480]  being effective for people who know what they're doing with it.
[25:55.320 --> 26:00.400]  Also sort of reinforces surveillance capitalism is still pretty creepy. And finally, I definitely
[26:01.420 --> 26:04.600]  underestimated the amount of time I should have spent on this and I procrastinated.
[26:05.020 --> 26:11.500]  Hopefully it doesn't show too bad. Some future research plans, plan on trying to get those API
[26:14.420 --> 26:20.300]  key accesses and accounts. See if I automate some of the ads management, like a lot of the
[26:20.300 --> 26:27.580]  professional researchers did. Score over-targeting, see if that's something that can be done or not.
[26:27.580 --> 26:32.120]  Hopefully find some experts to work with and better know what they're doing.
[26:33.680 --> 26:38.320]  Finally, I'd like to give some thanks, first of all, to Hex200B for his initial presentation that
[26:38.320 --> 26:44.920]  inspired a lot of my work. A big thank you to Crypto and Privacy Village staff for putting
[26:44.920 --> 26:51.620]  on this event. And finally, to all the attendees that decided to spend time in this presentation,
[26:51.620 --> 26:56.200]  especially DEF CON, there's infinite number of presentations or other activities you could be
[26:56.200 --> 27:02.060]  doing. Right now, thank you for choosing to spend it with Crypto, Privacy Village, and myself.
[27:02.540 --> 27:06.520]  At this time, I open it up for questions and comments.
[27:15.250 --> 27:19.190]  All right. Thank you to Neil M. for this terrific talk that we just saw,
[27:19.190 --> 27:24.770]  online ads as a recon and surveillance tool. We have our speaker here to do a little bit of Q&A
[27:24.770 --> 27:31.730]  with us. Hi there, Neil. I want to first mention Neil has put a link in the Discord Q&A channel
[27:31.730 --> 27:37.350]  to a PDF of the presentation to be more easily referenced if any of you have questions to take
[27:37.450 --> 27:42.450]  a look at that. We have something that is sort of a question, sort of a comment that I found
[27:42.450 --> 27:46.770]  interesting and thought maybe you could comment on, Neil, that the subtle implication
[27:47.330 --> 27:52.110]  of your talk is that emitting unique strings can help bad guys, even though we traditionally think
[27:52.110 --> 27:55.990]  of this as something that helps good guys, for example, to do AP signatures. Is that something
[27:55.990 --> 28:03.470]  you can comment on? Yes, definitely. And it was touched on during Hex200B's talk a couple of
[28:03.470 --> 28:09.510]  years ago as well. And so the one thing he found in either through his research or asking other
[28:09.510 --> 28:18.570]  folks is like antivirus companies, for example, will take out ads for things like file hashes
[28:18.570 --> 28:23.430]  and stuff that they recently discovered for detection purposes as well as promoting their
[28:23.430 --> 28:32.370]  own services. But it definitely goes both ways. Google can see what you're doing and
[28:32.370 --> 28:37.410]  if Google can see it, then their marketing customers can potentially see it as well.
[28:38.790 --> 28:43.170]  Great. Well, I actually found this to be a really interesting talk because I started out my career
[28:43.170 --> 28:50.630]  right after college as a temp doing AdWords ads at Google. So I want to thank you for a
[28:50.630 --> 28:56.890]  fascinating contribution. Have you had any pushback from Google or any intervention or
[28:56.890 --> 29:01.650]  have you been keeping this enough on the DL to evade the eye of Sauron there?
[29:02.130 --> 29:07.950]  Oh, well, we'll see after this talk, I guess. But yeah, so far, I haven't gotten enough
[29:07.950 --> 29:11.990]  attention to even get my API key approved yet. So I think I'm okay.
[29:13.610 --> 29:18.130]  Wonderful. All right. Well, thank you again so much for this talk. We hope you have a great
[29:18.130 --> 29:22.970]  rest of your DEF CON. All right. Thank you. You as well. Thank you. Take care.
